[Owasp-topten] RC feedback - Missing "Lack of anti-automation"

Colin Watson colin.watson at owasp.org
Fri Apr 14 15:40:37 UTC 2017


Topical story in the news today about Airbnb:

Airbnb account hijackers burgle homes
http://www.bbc.co.uk/news/technology-39589241

BBC reporting rash of burglaries of Airbnb hosts due to hacking of accounts
http://airhostsforum.com/t/bbc-reporting-rash-of-burglaries-of-airbnb-hosts-due-to-hacking-of-accounts/13180

Could be credential stuffing.

Colin



On 13 April 2017 at 19:59, Colin Watson <colin.watson at owasp.org> wrote:

> Thank you to everyone in the Top Ten project for all the effort in
> creating this RC.
>
> Last year when the data call was announced, we had some discussion on the
> Leaders' List about "lack of anti-automation":
>
> http://lists.owasp.org/pipermail/owasp-leaders/2016-June/016877.html
>
> As pointed out to me in that discussion, "lack of anti-automation" was
> included in the the 2013 Top 10 "Additional Risks to Consider":
>
> https://www.owasp.org/index.php/Top_10_2013-Details_About_Risk_Factors
>
> This item has been dropped from the 2017 RC1 completely - it is not in the
> top 10 or in the additional risks. And none of the other 2013 risks include
> these types of attack.
>
> I wonder if it is somehow meant to be included in A7 - the Automated
> Threats Project is mentioned as a reference for A7. However, I feel this
> may be incorrect since none of the threats in the scope of the Automated
> Threats project appear to be mentioned in the description, explanation or
> example attack scenarios for A7 in 2017 RC1. A7 seems to relate to
> exploitation of vulnerabilities.
>
> Our project's unwanted automated usage are not about exploitation of
> vulnerabilities, but instead often relate to misuse of inherent valid
> functionality. To that end I feel it odd that such automated threats appear
> neither in the 2017 RC1 Top 10, nor in the “additional risks to consider”.
>
> Whilst breach reporting does not provide comprehensive or representative
> coverage of attacks, the following recent major incidents indicate the
> types of issue:
>
>
> Tesco Bank account enumeration (40,000 accounts)
> http://www.coventrytelegraph.net/news/coventry-news/tesco-
> bank-fraud-what-you-12138631
>
> Credential stuffing attacks on other sites following LinkedIn and Yahoo
> breaches
> https://medium.com/@UnifyID/credential-stuffing-how-prc-
> almost-hacked-my-steam-2106a2f443e7
>
>
> Some developers and testers ignore or do not think about such threats, and
> therefore there is under reporting of these issues in many organisation’s
> pen test reports and issue logging, yet lead to significant ongoing pain to
> application owners/operators. I have never found any web application that
> isn't at risk from some automated threat (we have listed 20 types of
> threats, soon to be 21). The ease of exploitation is typically EASY
> (because the functionality is inherently built into the web application).
> Since automated threats can be a risk for many different types of
> functionality, my belief is the prevalence is just as common as XSS, so
> prevalence is WIDESPREAD and detectability is EASY. If exploited the impact
> is typically MODERATE, often affecting the application’s owner, and users
> and other parties.
>
> Regarding protections, in our project's Automated Threat Handbook we
> document 14 classes of countermeasures for automated threats – only a
> couple of which might be provided by something such as a WAF. Most
> countermeasure classes are actually much more relevant to development
> processes. Most do not appear in the "how do I prevent this" for A7, or any
> other risk, in 2017 RC1.
>
> Colin Watson
> Project co-leader
> OWASP Automated Threats to Web Applications Project
>
> https://www.owasp.org/index.php/OWASP_Automated_Threats_
> to_Web_Applications
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170414/688c0206/attachment.html>


More information about the Owasp-topten mailing list